70-412: Configuring Advanced Windows Server 2012 services Chapter 4 Configuring Network Services


Objective 4.1: Implementing an Advanced Dynamic Host Configuration Protocol (DHCP) Solution

Dynamic Host Configuration Protocol (DHCP)

The Dynamic Host Configuration Protocol (DHCP) is a network protocol that automatically configures the IP configuration of a device, including assigning an IP address, subnet mask, default gateway, and primary and secondary Domain Name System (DNS) servers. Most clients and some servers that connect to a network receive their address from a DHCP server, including home routers/modems and office networks. In addition, the DHCP technology and protocol have become a necessary component of Windows Deployment Services (WDS) and Network Access Protection (NAP).

2013 John Wiley & Sons, Inc.

DHCP Options

DHCP options are not required for use by DHCP. Organizations should automatically configure these options so that they do not have to be manually configured:

• Option 3: Router
• Option 6: DNS servers
• Option 15: Domain name
• Option 44: WINS/NBNS servers
• Option 46: WINS/NBT node type

DHCP and DNS

By default, the DHCP server dynamically updates the DNS address host (A) resource records and pointer (PTR) resource records only if requested by the DHCP clients. By default, the client requests that the DHCP server register the DNS PTR resource record, while the client registers its own DNS A resource record. The DHCP server discards the A and PTR resource records when the client's lease is deleted. To change how DHCP registers and deletes DNS A and PTR resource records, right-click the IPv4 node or scope, click Properties, and click the DNS tab.

Reservations

DHCP client reservations allow administrators to reserve an IP address for permanent use by a DHCP client. By using reservations, you can ensure that the host will always have the same IP address. As with any other lease, when a client receives a reserved address, the client also receives all assigned options such as addresses of the default gateway and DNS servers. If these options are changed, they will automatically be updated on the client when the lease is renewed.

DHCP Server Authorization

A rogue DHCP server:

• Is a DHCP server on a network that is not under the organization's administrative control.
• Can be used to interrupt network access, bypass network security, and capture private information using a man-in-the-middle attack.

To protect a network from rogue DHCP servers, if the DHCP server is part of an Active Directory domain, you must authorize the DHCP server before it can hand out IP addresses. You must be a member of the Enterprise Admins group to authorize the DHCP server. If the server is a stand-alone server, Windows will verify whether there is a DHCP server on the network, and it will not start the DHCP service if there is one.
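An audit of the authorization list described above, added here as an example that is not part of the original slides: it compares the DHCP servers authorized in Active Directory (read with Get-DhcpServerInDC) against a list the organization has approved. The function name Compare-DhcpAuthorization, the approved list, and the fallback sample servers are assumptions made for illustration.

```powershell
# Added example, not from the original slides. The approved list and the
# fallback sample servers are constructed values.
function Compare-DhcpAuthorization {
    param(
        # Objects with DnsName and IPAddress, as returned by Get-DhcpServerInDC
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Authorized,
        # DNS names that change control has approved as DHCP servers
        [Parameter(Mandatory)] [string[]] $Approved
    )
    $approvedSet = @($Approved | ForEach-Object { $_.ToLowerInvariant() })
    $seen = @()
    foreach ($srv in $Authorized) {
        $name = ([string]$srv.DnsName).ToLowerInvariant()
        $seen += $name
        if ($approvedSet -notcontains $name) {
            [pscustomobject]@{
                DnsName   = $name
                IPAddress = [string]$srv.IPAddress
                Finding   = 'Authorized in AD but not on the approved list'
            }
        }
    }
    foreach ($name in $approvedSet) {
        if ($seen -notcontains $name) {
            [pscustomobject]@{
                DnsName   = $name
                IPAddress = $null
                Finding   = 'Approved but not authorized in AD (will not hand out leases)'
            }
        }
    }
}

# Use the live directory when the DhcpServer module is present; otherwise
# fall back to constructed sample data so the comparison can be tried offline.
if (Get-Command Get-DhcpServerInDC -ErrorAction SilentlyContinue) {
    $authorized = @(Get-DhcpServerInDC)
} else {
    $authorized = @(
        [pscustomobject]@{ DnsName = 'dhcp01.corp.example';  IPAddress = '10.0.0.10' }
        [pscustomobject]@{ DnsName = 'lab-pc7.corp.example'; IPAddress = '10.0.9.77' }
    )
}
$approved = @('dhcp01.corp.example', 'dhcp02.corp.example')
Compare-DhcpAuthorization -Authorized $authorized -Approved $approved |
    Format-Table -AutoSize
```

Authorization is enforced by the Windows DHCP Server service itself, so this audit covers Windows servers in the directory; a non-Windows DHCP server plugged into the network does not appear in this list.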

DHCP Policies

Starting with Windows Server 2012, by using DHCP policies, you can give granular control over scopes, which allows you to assign different IP addresses or different options based on the device type or its role. Policies are applicable for a specific scope with a defined processing order. Options can be configured at the scope or inherited from server-wide policies.

Superscopes

A superscope groups multiple scopes into a single administrative entity. By using superscopes, you can support larger subnets. A superscope can be used if a scope runs out of addresses and you cannot add more addresses from the subnet.

Before creating a superscope:

• Add a new subnet to the DHCP server.
• Perform multi-netting, where you lease addresses to clients in the same physical network, but the clients will be in a separate network logically by subnet.
• Configure routers to recognize the new subnet so that you ensure local communications in the physical network.

You can only create a superscope if you have two or more IP scopes already created in DHCP. You can use the New Superscope Wizard to select the scopes that you want to combine together to create a superscope.

Multicast Scopes

Class D addresses defined from to used for multicast addresses. In DHCP, multicast scopes, commonly known as Multicast Address Dynamic Client Allocation Protocol (MADCAP) scopes, allow applications to reserve a multicast IP address for data and content delivery. Applications that use multicasting request addresses from the scopes needed to support the MADCAP application programming interface (API).

Creating and managing a multicast scope is similar to creating and managing a normal scope. Multicast scopes cannot use reservations and you cannot set additional options such as DNS and routing. Because multicast is shared by groups of computers, the default duration of a multicast scope is 30 days.

DHCPv6 Addresses

IPv6 addresses utilize a 128-bit address space to provide addressing for every device on the Internet with a globally unique address. Because IPv6 addresses use 128 bits, the addresses are usually divided into groups of 16 bits, written as 4 hex digits. Hex digits include 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, and F. Colons separate the groups. This is an example of an IPv6 address:

FE80:0000:0000:0000:02C3:B2DF:FEA5:E4F1

The first 64 bits of an IPv6 address define the network address, and the second 64 bits define the host address. In the previous example address, FE80:0000:0000:0000 defines the network bits and 02C3:B2DF:FEA5:E4F1 defines the host bits. The network bits are also further divided where 48 bits are used for the network prefix and the next 16 bits are used for subnetting. The remaining host bits are 64 bits.

IPv6 Addressing

IPv6 host addresses can be configured with stateful or stateless mode. Because the two address configuration modes are independent of each other and will not trample over each other, a host can use both stateless and stateful address configuration.

Stateless Mechanism

The stateless mechanism is used to configure both link-local addresses and additional non-link-local addresses based on Router Solicitation and Router Advertisement messages with neighboring routers. With stateless autoconfiguration, the MAC address is used to generate the host bits. When using stateless configuration, the address is not assigned by a DHCP server. However, a DHCP server can still assign other IPv6 configuration settings.

Stateful configuration has IPv6 addresses and additional IPv6 configuration assigned by a DHCPv6 server.

High Availability for DHCP

To make DHCP highly available, you can use one of the following methods:

• Split scopes
• Server cluster
• DHCP failover
• Standby server

Configuring Split Scopes

For years, if you wanted high availability, you would use a split-scope configuration:

• Also known as 80/20 configuration
• Uses two DHCP servers with the same scopes and options
• However, the scopes have complementary exclusion ranges, so there is no overlap in the addresses that they lease to clients. You do not want the two servers to hand out the same address to different clients.

[Figure: 80/20 Split]

DHCP Failover

DHCP failover supports two modes:

• Load Sharing: Both servers simultaneously supply IP configuration to clients. By default, the load is distributed evenly, 50:50. However, you can adjust the ratio if you prefer one server over another. Load Sharing is the default mode.
• Hot Standby: One server is the primary server that actively assigns IP configuration for the scope or subnet, and the other is the secondary server that assumes the DHCP role if the primary server becomes unavailable. Hot Standby mode is best suited when the disaster recovery site is located at a different location.

DHCP Name Protection

If an organization uses only Windows systems that are part of an Active Directory domain, each computer will have its own unique computer name, which DHCP registers in DNS on behalf of the client. Name squatting is when a non-Windows-based computer registers a name in DNS that is already registered to a Windows-based computer. To prevent conflicts when non-Microsoft systems overwrite systems that use static addresses, Windows Server 2012 introduced DHCP Name Protection.
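A check for the Name Protection setting described above, together with the record-cleanup behavior from the DHCP and DNS slide, added here as an example that is not part of the original slides: it lists IPv4 scopes that register names in DNS without Name Protection or without deleting records when the lease is deleted. The function name Find-WeakDhcpDnsSetting and the fallback scope IDs are assumptions made for illustration.

```powershell
# Added example, not from the original slides. Scope IDs in the fallback
# sample are constructed values.
function Find-WeakDhcpDnsSetting {
    param(
        # Objects with ScopeId, DynamicUpdates, NameProtection, DeleteDnsRROnLeaseExpiry
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Setting
    )
    foreach ($s in $Setting) {
        if ($s.DynamicUpdates -eq 'Never') { continue }   # scope never writes to DNS
        $issues = @()
        if (-not $s.NameProtection) {
            $issues += 'Name Protection off: an existing name can be overwritten'
        }
        if (-not $s.DeleteDnsRROnLeaseExpiry) {
            $issues += 'A/PTR records are kept after the lease is deleted'
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{ ScopeId = [string]$s.ScopeId; Issues = $issues -join '; ' }
        }
    }
}

if (Get-Command Get-DhcpServerv4Scope -ErrorAction SilentlyContinue) {
    # Live server: read the DNS tab settings of every IPv4 scope.
    $settings = @(foreach ($scope in Get-DhcpServerv4Scope) {
        Get-DhcpServerv4DnsSetting -ScopeId $scope.ScopeId |
            Select-Object @{ n = 'ScopeId'; e = { $scope.ScopeId } },
                          DynamicUpdates, NameProtection, DeleteDnsRROnLeaseExpiry
    })
} else {
    # Constructed sample so the check can be tried without a DHCP server.
    $settings = @(
        [pscustomobject]@{ ScopeId = '10.0.1.0'; DynamicUpdates = 'OnClientRequest'
                           NameProtection = $false; DeleteDnsRROnLeaseExpiry = $true }
        [pscustomobject]@{ ScopeId = '10.0.2.0'; DynamicUpdates = 'Always'
                           NameProtection = $true;  DeleteDnsRROnLeaseExpiry = $true }
    )
}
Find-WeakDhcpDnsSetting -Setting $settings | Format-Table -AutoSize

# Remediation for one scope, once reviewed:
#   Set-DhcpServerv4DnsSetting -ScopeId 10.0.1.0 -NameProtection $true
```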

Objective 4.2: Implementing an Advanced DNS Solution

Security for DNS

Windows Server 2012 adds a number of new features to Domain Name System (DNS) security. Securing the DNS server and DNS records prevents false records from being added and prevents clients from receiving incorrect DNS query responses, which can lead them to visit phishing sites or worse. To prevent DNS being used to attack systems, implement DNS Security (DNSSEC), Cache Locking, and other security measures.

DNS Security (DNSSEC)

A client that uses DNS to connect is always vulnerable to redirection to an attacker's servers unless the zone has been secured using DNSSEC. The process for securing a zone using DNSSEC is called signing the zone. Once signed, any queries on the signed zone will return digital signatures along with the normal DNS resource records. The digital signatures are verified using the public key of the server or zone from the trust anchor. DNSSEC uses trust anchors represented by public keys that define the top of a chain of trust. The trust anchor verifies tha